Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: Curl insecure usage
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 28 Nov 2012 13:45:26 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/26/2012 11:42 AM, Kurt Seifried wrote:
On 11/26/2012 08:06 AM, Moritz Muehlenhoff wrote:
Hi, during the triage of the SSL client bugs spotted by the 
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf paper Debian 
developer Alessandro Ghedini discovered two more applications
using Curl in an insecure manner:

1. opendnssec (in the eppclient tool) 
http://lists.opendnssec.org/pipermail/opendnssec-user/2012-November/002296.html

Please

use CVE-2012-5582 for opendnssec: insecure usage of curl

2. PHPcas (used by Moodle e.g.): 
https://github.com/Jasig/phpCAS/pull/58

Please use CVE-2012-5583 for phpCAS: insecure usage of curl

Please assign CVE IDs for these.

Cheers, Moritz


Have these been receiving individual CVE's? I can't find any
offhand, can you provide examples of others?

Also can someone collate and post a list of all the other apps using
curl insecurely and need CVE's with appropriate links to the
upstreams/etc? Thanks.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQtnflAAoJEBYNRVNeJnmTZjEQALHwHy7eiJeTIs/CzryTWoYr
7Qc5vqpNWq+e2uvngFkZ/TcYZk5q3YMuvCpcGz/UFNAouTnxYWEScsbJ+zMtceP4
IuSAQepg4wogrAxXZdrhAUd7019yYP0u0tC6qR5wEJfFdIpJN3uhv4NGs30KT/dw
fVdh4bckYiz1ql04p5V81nyGS0MUKv3ECYmxbK1gzW3OajyQjuLJpS2WgQJ7PRYm
jgFR9BZjjQJ0GWA1jGJFCcCaYVrLZCtorktrGirO08FSvjYkhNIwglWicTv0bMpu
RjH1SYD45CODB9UxkyNXLGdIow3OefWXONj5VRWRXdAvBXZVqn8r8mnAaftUndWw
SY0n5479MuO4DuGv1uKplDhTU50AbYn5+HpmHXjgafocvQG+zCirLPV9uqaCt2ho
irAIAcXZCOeVfkwI/UdwxTTWK0v5gHqNOognzOgOsdrksgN4TLHes5CWOJRxp4GB
5R9bLwmqtb9Ond4M7K3tHdeBcSuhwn+d3p8dL44zQz5kbw30aJsxyHnFZINZuh3B
yKGjvgubjLtnZg7C0E+/iV2kBiDayx1Cq4j6TzwsQsR9G/vR24ZuBPh5UU6i2WoO
RP41W47pcwg+8+wmLVNu8Xibb5Hot2s5anXNZYZJLk9ZshjLYYWzcelgD/AQHY4z
FiLo5VCm2DuvCmBU1WNl
=CTJs
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]